ONTOP Service

ONTOP (ONline Technical OPeration) is a tool for remote failure analysis on zOS systems, 
which IBM provides along with software service contracts. 

ONTOP has been available since 1986 and was used until 1999 as an online service over SNA.

Since 1999 ONTOP has also been available over IP connections, with an optional feature for
transferring problem data. The following connections will be offered:

1. ISDN/PPP/CHAP (Telnet / FTP) 

2. ISDN/PPP/IPSec (Telnet / FTP) 

3. INTERNET/IPSec (Telnet) 

This request only refers to connection method 3. 

ONTOP allows a software service specialist who has access to the IBM ONTOP/NVAS
security gateway to pass via the ONTOP network connection to the predefined ONTOP/TSO
analysis environment on customer systems and to work on reported problems there. That is:

Bring the expert to the problem and not the problem to the expert! 

IBM Responsibilities

1. Add customers to IBM ONTOP/NVAS 

2. Add customers on the IBM router 

3. Provide the technical description of the connection (part of the request sheet) 

4. Support for installation, tailoring and test of ONTOP/TSO on customer systems 

5. Decision of ONTOP usage 


Customer Responsibilities 

1. Provide the necessary hardware for the network connection 

2. Implementation of the IP addresses and routes given by IBM 

3. Provide at least 3 ONTOP/TSO userids for IBM on the ONTOP system 

4. Adapt system changes to ONTOP/TSO, if it is affected 

5. Make sure IBM gets access to all resources needed during analyzing problems 

6. Inform IBM when changing connection data 


Charges

The ONTOP service is part of IBM software service contracts, so no additional fee has to be 
paid. 

Copyright

ONTOP/TSO which is installed on customer systems is “IBM Copyright”. 

Without IBM approval the customer is not allowed to copy it or make it available to third 
parties. 

Customers should never change the ONTOP/TSO code without informing IBM. 

Data Security 

Data security demands data classification. 

So every owner of data must classify its data and only allow access to the data
based on this classification.

Customer data being under control of IBM is always treated as IBM confidential. 

Each IBM employee accepts, based on his working contract (which reflects IBM policies
and security guidelines), to do so.

Furthermore, IBM will accept all legal data security guidelines issued by countries where IBM
customers are located.

To make sure those security guidelines are followed, IBM has implemented all the necessary 
technical and organizational standards. 

We are certain that the use of ONTOP will not provoke any security conflict but will help to
further improve your system availability.

As confirmation to the use of ONTOP, we would like you and the responsible IBM branch 
office to sign this request and send it back to the FAX number given under IBM contact. 


Signature IBM (CE-BO) 


Signature of the customer 


Location/Date 


Location/Date 

Customer Prerequisites

To connect to IBM via the Internet, a customer must meet the following
prerequisites:

1. There must be a valid IBM zOS software service contract 

2. The ONTOP host must be reachable via Internet 

3. OS/390-CS must be installed and a Telnet server must be active 

4. Customer router must have “IPSec capability” 

5. A static route must be assigned into one of the IBM reserved “private networks” 

6. Customer must not use one of the IBM reserved “private networks” 

• 192.168.69.0 SM: 255.255.0.0 

• 192.168.169.0 SM: 255.255.0.0 

IBM does not take any responsibility for customer systems.

Technical Description ONTOP Internet

ONTOP Internet is an online connection between IBM (IT Center Mainz) and customer
systems. It consists of ONTOP/NVAS on the IBM side, an ONTOP network connection
(ONTOP/NW) and the failure analysis component (ONTOP/TSO) on customer systems.

Components of ONTOP 

• NetView Access application (ONTOP/NVAS) on the IBM side 

• ONTOP network connection (ONTOP/NW) 

• REXX/ISPF application (ONTOP/TSO) on the customer side 

NetView Access Application (ONTOP/NVAS) 

ONTOP/NVAS on the IBM side is a certified security gateway which guarantees controlled
and documented access of non-traversing sessions between IBM and customer systems.

Network connection (ONTOP/NW) 

The network connection is implemented as an INTERNET/IPSec connection. It is a tunnel
connection between a router of the IBM IT-Center in Mainz and the corresponding customer
router. The IPSec tunnel is established when an IBM specialist selects a customer in
NVAS/ONTOP for a TELNET session.

The IPSec tunnel will be closed if there is no activity in a 15-minute time frame, or after the
user logs off from the customer system.

REXX/ISPF Application (ONTOP/TSO) 

The REXX/ISPF application provides a “Common User Access” and a predefined 
environment for IBM failure analysis tools on customer systems. 


IBM Global Services TTS-SD 


21.10.02 






ONTOP Request for an Internet Connection 



Access Security 

To respond to customer requests for high security standards on Internet connections, three
levels of security will be used.

1. ONTOP/NVAS on the IBM side makes sure that only people having a userid/password for
this system can get access to customer systems. All activities on the gateway will be
logged and kept for 60 days. Access without using ONTOP/NVAS is not possible.

2. Connection security is guaranteed by IPSec. IPSec establishes a VPN (Virtual Private 
Network) over the Internet. This means encryption and authentication. 

3. Access to the customer TSO, where the ONTOP failure analysis tool is installed, is 
controlled by userid/password. 

IBM will accept any additional protection method on the customer side, as long as it doesn’t
hinder IBM when using ONTOP.

ONTOP userid and password administration

Implementation 

To implement the ONTOP userid/password administration as simply and securely as possible,
the following RACF concept is recommended.

• Create the ONTOP userids by using the following attributes: 

- DEFAULT-GROUP = Onnnnnnn - (nnnnnnn = 7 digit customer number) 

• Create a group called ONTOP 

• Connect all ONTOP users to group ONTOP 

• Grant “SPECIAL” to the ONTOP maintenance user - (default ONTOPOO)

Alternatively, permit the admin user to class FACILITY, profile IRR.PASSWORD.RESET
(This user must at least have update access to data set *.*.TOPCNTL)

Along with the userid administration routines delivered by ONTOP, this setup provides a
“push button solution” for the person doing the userid/password administration.
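
An added example, not part of the original document and not one of the administration routines delivered by ONTOP: the RACF concept above written as a REXX exec that issues standard RACF commands. The customer number, the three userid names and the READ access level are assumptions; the maintenance userid is assumed to exist already, and TSO segment operands are left to the site.

```rexx
/* REXX - added example, not ONTOP code. Values below are constructed. */
maxrc   = 0
custgrp = 'O1234567'          /* 'O' + placeholder 7-digit customer number */
admin   = 'ONTOPOO'           /* maintenance userid default as printed     */
users   = 'ONTOP01 ONTOP02 ONTOP03'   /* hypothetical names, minimum of 3  */

Call run 'ADDGROUP' custgrp
Call run 'ADDGROUP ONTOP'

Do i = 1 To Words(users)
  u = Word(users, i)
  /* No PASSWORD operand: one is set only when a userid is handed out. */
  /* TSO segment operands are site-specific and omitted here.          */
  Call run 'ADDUSER' u 'DFLTGRP('custgrp') NAME(''IBM ONTOP'')'
  Call run 'CONNECT' u 'GROUP(ONTOP)'
End

/* First option in the concept, system-wide RACF administration:       */
/*   ALTUSER ONTOPOO SPECIAL                                           */
/* Alternative in the concept, limited to password reset and resume:   */
Call run 'RDEFINE FACILITY IRR.PASSWORD.RESET UACC(NONE)'
Call run 'PERMIT IRR.PASSWORD.RESET CLASS(FACILITY) ID('admin') ACCESS(READ)'
Call run 'SETROPTS RACLIST(FACILITY) REFRESH'  /* if FACILITY is RACLISTed */
Exit maxrc

/* Issue one command, report a non-zero return code, keep the highest. */
run: Procedure Expose maxrc
  Parse Arg cmd
  Address TSO cmd
  If rc > maxrc Then maxrc = rc
  If rc <> 0 Then Say 'RC='rc 'from:' cmd
  Return
```

When a userid is handed out, the maintenance user sets a temporary password with ALTUSER userid PASSWORD(...) RESUME, which is the operation the FACILITY permission covers.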

Usage 

Customers can either maintain the userid/password administration themselves or leave
it to the ONTOP team. If not left to the ONTOP team, customers should only provide an
ONTOP userid if the requester is able to name the problem number he wants to work on. In
case of uncertainty customers should ask for the IBM employee number and cross-check with
the ONTOP help desk, phone 0049-6131-84-5003.


Advantages: 

• No password distribution 

• Only people knowing the problem number will receive a userid 

• Only people knowing the customer number will be able to use the userid 


This concept demands a minimum of 3 ONTOP userids. Depending on problem occurrence 
the number of userids should be increased. 


If there is a problem in using a dedicated ONTOP admin userid, it is also possible to use any
other userid, as long as the following prerequisites are met:

• Userid has the authority to reset the passwords for the ONTOP users. 

• Userid has at least update access to all the ONTOP data sets 

Additional customer requests can be accommodated, as long as they follow the ONTOP concept.


Golden rules for an efficient use of ONTOP/TSO

The efficiency of ONTOP/TSO is directly bound to its usability.

Only an optimally maintained ONTOP/TSO that is perfectly adapted to the customer environment
can provide the best efficiency possible in an unforeseen problem situation.

Therefore the following rules should be followed when using ONTOP/TSO:


1. The ONTOP logon procedure and the control tables should always be kept up to date:

- TOPLOG ONTOP logon profile

- TOPENVTO ONTOP environment control tables 

- TOPENVnn ONTOP allocation control tables 

2. The IPCS parmlib members must match the level of OS/390 

- BLSCECT IPCS verbs for dump formatting 

- BLSCECTX IPCS verbs for dump formatting 

- BLSCUSER IPCS-NON-Standard Verbs for dump formatting 

- IPCSPRxx IPCS session parameter 

3. ONTOP data sets should not be candidates for migration 

4. ONTOP userids should be given a TSO region size of 256MB 

5. ONTOP userids should be placed in an optimized service class (short batch)

6. ONTOP usage, environment and procedure should be known to potential users 


ONLY AN OPTIMALLY MAINTAINED ONTOP IS OF VALUE
AN UNMAINTAINED ONTOP IS USELESS!

Connection Data (please fill in)


Hardware Router (e.g. IBM/Cisco/etc.):


IPSec Definitions

Key
  Pre-shared Keys
  Hash:                          MD5
  Encryption:                    3DES

Data
  Authentication:                HMAC-MD5
  Encapsulation:                 3DES

Tunnel Address
  IP Address (Tunnel) IBM:       192.109.81.40
  IP Address (Tunnel) customer:


IP Configuration Host
  IP Address:

Host TSO Data
  Userid:
  Password:


IP Configuration Host (second Host)
  IP Address:

Host TSO Data
  Userid:
  Password:


Available IBM source addresses

Please select one:

□ 192.168.69.2 (255.255.255.255) 

□ 192.168.169.2 (255.255.255.255) 

Contacts (please fill in the customer part)

General Customer Data 


Customer Name 


Customer Number 


Software Service Contract Number 



Customer Contact 


Name of the ONTOP contact person 


Telephone Number 


FAX 


E-Mail Address 




Name of the router expert 


Telephone Number 


FAX 


E-Mail Address 



Customer / IBM Contact 


IBM Employee Name 


Telephone Number 


FAX 


E-Mail Address 



IBM ONTOP Contact

Name:              ONTOP Helpdesk
Telephone Number:  06131-84-5003
FAX:               06131-84-6611
E-Mail Address:    ONTOP@de.ibm.com

Name:              Alexander Damm
Telephone Number:  06131-84-5646
FAX:               06131-84-6611
E-Mail Address:    adamm@de.ibm.com

Name:              Heinz-Dieter Hassinger
Telephone Number:  06131-84-5477
FAX:               06131-84-6611
E-Mail Address:    hhd@de.ibm.com